Change secrets Replace to modify the ID

We decided that podman secret create --replace should match behaviour of podman container create --replace, so the ID should change. Signed-off-by: Daniel J Walsh <[email protected]>
containers · Jun 28, 2023 · 85b2370 · 85b2370
1 parent 65a52f4
commit 85b2370
Showing 2 changed files with 15 additions and 19 deletions.
diff --git a/pkg/secrets/secrets.go b/pkg/secrets/secrets.go
@@ -144,26 +144,19 @@ func NewManager(rootPath string) (*SecretsManager, error) {
 	return manager, nil
 }
 
-func (s *SecretsManager) newSecret(name string) (*Secret, error) {
-	secr := new(Secret)
-	secr.Name = name
-	secr.CreatedAt = time.Now()
-	secr.UpdatedAt = secr.CreatedAt
-
+func (s *SecretsManager) newID() (string, error) {
 	for {
 		newID := stringid.GenerateNonCryptoID()
 		// GenerateNonCryptoID() gives 64 characters, so we truncate to correct length
 		newID = newID[0:secretIDLength]
 		_, err := s.lookupSecret(newID)
 		if err != nil {
 			if errors.Is(err, ErrNoSuchSecret) {
-				secr.ID = newID
-				break
+				return newID, nil
 			}
-			return nil, err
+			return "", err
 		}
 	}
-	return secr, nil
 }
 
 // Store takes a name, creates a secret and stores the secret metadata and the secret payload.
@@ -197,13 +190,10 @@ func (s *SecretsManager) Store(name string, data []byte, driverType string, opti
 		}
 		secr.UpdatedAt = time.Now()
 	} else {
-		if options.Replace {
-			return "", fmt.Errorf("%s: %w", name, ErrNoSuchSecret)
-		}
-		secr, err = s.newSecret(name)
-		if err != nil {
-			return "", err
-		}
+		secr := new(Secret)
+		secr.Name = name
+		secr.CreatedAt = time.Now()
+		secr.UpdatedAt = secr.CreatedAt
 	}
 
 	if options.Metadata == nil {
@@ -225,13 +215,19 @@ func (s *SecretsManager) Store(name string, data []byte, driverType string, opti
 	if err != nil {
 		return "", err
 	}
+
 	if options.Replace {
 		err = driver.Delete(secr.ID)
 		if err != nil {
 			return "", fmt.Errorf("replacing secret %s: %w", name, err)
 		}
 	}
 
+	secr.ID, err = s.newID()
+	if err != nil {
+		return "", err
+	}
+
 	err = driver.Store(secr.ID, data)
 	if err != nil {
 		return "", fmt.Errorf("creating secret %s: %w", name, err)

diff --git a/pkg/secrets/secrets_test.go b/pkg/secrets/secrets_test.go
@@ -74,8 +74,8 @@ func TestAddSecretAndLookupData(t *testing.T) {
 	storeOpts.Replace = true
 	id2, err := manager.Store("mysecret", []byte("mydata"), drivertype, storeOpts)
 	require.NoError(t, err)
-	if id1 != id2 {
-		t.Errorf("error: secret id after Replace should be same")
+	if id1 == id2 {
+		t.Errorf("error: secret id after Replace should be different")
 	}
 
 	s, _, err = manager.LookupSecretData("mysecret")